Tag Archives: LockBox

Imagine that you are a bloody idiot and trust everything EMC writes in their documentation, so when installing Content Server you chose the LockBox option. The problem is that LockBox protects nothing and, moreover, it is sensitive to the machine configuration (MAC address, IP address, hostname, CPU), so at some point you will get something like:

[dmadmin@demo-server ~]$ cat /opt/dctm/dba/log/MyRepo.log
The Lockbox stable value threshold was not met because the system fingerprint has changed.
To reset the system fingerprint, open the Lockbox using the passphrase.
The Lockbox stable value threshold was not met because the system fingerprint has changed.
To reset the system fingerprint, open the Lockbox using the passphrase.
2016-11-06T01:04:35.281642 2325[2325] 0000000000000000 [DM_CRYPTO_F_KEYSTORE_INIT]
fatal: "Failed to initialize keystore at /opt/dctm/dba/secure/aek.key. Internal error ..."
[dmadmin@demo-server ~]$

What to do? EMC did release a special utility (dm_crypto_manage_lockbox) which allows you to reset the system fingerprint stored in the LockBox, but there is another option: remove the LockBox completely and switch back to the good old aek.key. All we need is:



Q:

Hi,
I am trying to write a standalone DFC/D2 program. I create a DFC session and then put it in D2 context by D2Session.initTBO. I then perform normal DFC set and save operations on a sysobject. When I try to apply a D2 configuration like D2AuditConfig.apply I get the below error. How do I correct this?


According to the release notes, Content Server got the following security “improvements” in 7.2:

I have no idea what “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” is supposed to mean, because this capability has existed in Content Server for a long time; for example, a quote from the Admin Guide 6.7:

So, “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” is not a security enhancement (actually, folks told me that the installer now enforces entering a passphrase for aek.key during installation), and the only real enhancement is support for RSA Lockbox. Moreover, according to EMC it is the only option to “prevent” the aek.key file from being hijacked, but if you read my post about CVE-2014-2515 carefully, you should know that RSA Lockbox does not introduce any security features: to open an RSA Lockbox on another machine it is enough to hijack the following files from the victim machine:

/etc/sysconfig/network – to get the hostname

/etc/udev/rules.d/70-persistent-net.rules – to get information about the network interfaces (MAC addresses)

/etc/sysconfig/network-scripts/ifcfg-*, /var/lib/dhclient/dhclient*.leases – to get more information about the network interfaces (IP configuration)
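The two points above (a fingerprint-bound store that stops opening when the host identity drifts, and a fingerprint that anyone holding copies of a few world-readable files can recompute) can be made concrete with a small shell script. This is an added example, not code from the original post and not RSA Lockbox's real fingerprint algorithm, which is not described on this page; it simply hashes the file set the post lists (hostname, udev net rules, ifcfg-* and dhclient leases) under a configurable root. The function names (fingerprint_inputs, fingerprint_hash, fingerprint_check) and the baseline-file convention are my own.

```shell
#!/bin/sh
# Added example (not from the post, not RSA Lockbox's algorithm): derive a
# "system fingerprint" from the host identity files the post names, record a
# baseline, and report drift before a fingerprint-bound keystore refuses to open.
# ROOT is normally "/" for the live machine; pointing it at a copied tree
# (e.g. files pulled from a victim) shows that the value is fully reproducible
# from those files alone, i.e. binding to them is not a security boundary.

# fingerprint_inputs ROOT -> paths (relative to ROOT) of the identity files
# that are present, in a fixed order. The set is the one listed in the post;
# the real product's set and weighting are not published there (assumption).
fingerprint_inputs() {
  root="${1%/}"
  for pattern in \
    etc/sysconfig/network \
    etc/udev/rules.d/70-persistent-net.rules \
    'etc/sysconfig/network-scripts/ifcfg-*' \
    'var/lib/dhclient/dhclient*.leases'
  do
    # $pattern is deliberately unquoted so the globs expand under ROOT
    for f in "$root"/$pattern; do
      if [ -f "$f" ]; then
        printf '%s\n' "${f#"$root"/}"
      fi
    done
  done | sort
}

# fingerprint_hash ROOT -> sha256 hex over "path + contents" of every input
# present. Hashing the path list too means an added or removed interface file
# changes the value; stripping CR keeps an editor round-trip from counting as drift.
fingerprint_hash() {
  root="${1%/}"
  fingerprint_inputs "$root" | while IFS= read -r rel; do
    printf '== %s\n' "$rel"
    tr -d '\r' < "$root/$rel"
  done | sha256sum | cut -d' ' -f1
}

# fingerprint_check ROOT BASELINE_FILE -> exit status:
#   0 fingerprint matches the recorded baseline
#   1 fingerprint drifted (something in the identity files changed)
#   2 no baseline existed; the current value has just been recorded
fingerprint_check() {
  root="$1"
  baseline="$2"
  current="$(fingerprint_hash "$root")"
  if [ ! -f "$baseline" ]; then
    printf '%s\n' "$current" > "$baseline"
    echo "baseline recorded: $current"
    return 2
  fi
  recorded="$(cat "$baseline")"
  if [ "$current" = "$recorded" ]; then
    echo "fingerprint stable: $current"
    return 0
  fi
  echo "fingerprint drift: recorded $recorded, current $current" >&2
  return 1
}
```

Run `fingerprint_check / /var/lib/dctm-fingerprint.sha256` from cron (the path is an arbitrary choice) and alert on exit status 1; that tells you a MAC, IP or hostname change has happened before the repository log fills with "The Lockbox stable value threshold was not met". Running `fingerprint_hash` against a directory that merely contains copies of the same files yields the identical value, which is the whole point of the post: the inputs are ordinary readable files, so the binding adds no secrecy.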